On Jun 23, 2015, at 15:41 , Rhoads, Robert W. <[email protected]> wrote:
> [mschapv2] # Executing group from file
> /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
> [mschapv2] +group MS-CHAP {
> [mschapv2] ++? if (PacketFence-Domain)
> [mschapv2] ? Evaluating (PacketFence-Domain) -> FALSE
> [mschapv2] ++? if (PacketFence-Domain) -> FALSE
> [mschapv2] ++else else {
> [mschap] Creating challenge hash with username: testuser
> [mschap] Client is using MS-CHAPv2 for testuser, we need NT-Password
> [mschap] expand: %{Stripped-User-Name} ->
> [mschap] ... expanding second conditional
> [mschap] expand: %{User-Name} -> DOMAIN\\testuser
> [mschap] expand: %{%{User-Name}:-None} -> DOMAIN\\testuser
> [mschap] expand:
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
> --username=DOMAIN\\testuser
> [mschap] Creating challenge hash with username: testuser
> [mschap] expand: %{mschap:Challenge} -> 7ab7634b9bcb90f6
> [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} ->
> --challenge=7ab7634b9bcb90f6
> [mschap] expand: %{mschap:NT-Response} ->
> a99a0a0cad4f55ceb7938ea9b2ee55a245b29063967c5ca7
> [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} ->
> --nt-response=a99a0a0cad4f55ceb7938ea9b2ee55a245b29063967c5ca7
> Exec output: Logon failure (0xc000006d)
> Exec plaintext: Logon failure (0xc000006d)
> [mschap] Exec: program returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
Assuming DOMAIN\testuser is to be replaced here by your actual domain and
username, you first need to make sure that ntlm_auth works independently
from packetfence and freeradius.
All that freeradius really does is call that executable and pass it arguments
based on the username and domain received in the RADIUS request.
So, try to see if the join is valid first:
# net ads testjoin
If it is, then try to see if you can manually authenticate:
# ntlm_auth --username=DOMAIN\\testuser --password=yourpasswordhere
See what that says.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
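
Added example, not part of the original message or of PacketFence: a small Python helper that pulls the expanded `--username`, `--challenge` and `--nt-response` values out of the quoted FreeRADIUS debug output and rebuilds the `ntlm_auth` call so the same check can be repeated by hand outside FreeRADIUS. The function names are hypothetical, the sample log is constructed from the lines quoted above, and the doubled backslash is assumed to be debug-output escaping of a single one.

```python
import re
import shlex

# Constructed sample: expansions from the quoted debug output, with the mail
# quoting ("> ") and line wrapping left in place.
SAMPLE_LOG = r"""
> [mschap] expand: %{Stripped-User-Name} ->
> [mschap] expand:
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
> --username=DOMAIN\\testuser
> [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} ->
> --challenge=7ab7634b9bcb90f6
> [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} ->
> --nt-response=a99a0a0cad4f55ceb7938ea9b2ee55a245b29063967c5ca7
> Exec output: Logon failure (0xc000006d)
"""

# Matches the right-hand side of "template -> --option=value".
EXPANDED = re.compile(r"->\s*--([a-z-]+)=(\S+)")


def expanded_args(log):
    """Return {option: value} for each expanded ntlm_auth option in the log."""
    text = re.sub(r"^\s*>\s?", "", log, flags=re.M)  # drop mail quote markers
    text = " ".join(text.split())                     # undo line wrapping
    # Assumption: "\\" in the debug output stands for one literal backslash.
    return {opt: val.replace("\\\\", "\\") for opt, val in EXPANDED.findall(text)}


def replay_command(args, ntlm_auth="ntlm_auth"):
    """Build a shell-quoted command that repeats the check outside FreeRADIUS."""
    order = ("username", "challenge", "nt-response")
    missing = [opt for opt in order if opt not in args]
    if missing:
        raise ValueError("log lacks expansions for: " + ", ".join(missing))
    for opt in ("challenge", "nt-response"):
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", args[opt]):
            raise ValueError(f"--{opt} is not a hex string: {args[opt]!r}")
    quoted = [shlex.quote(f"--{opt}={args[opt]}") for opt in order]
    return " ".join([ntlm_auth] + quoted)


if __name__ == "__main__":
    print(replay_command(expanded_args(SAMPLE_LOG)))
```

The printed command carries only the options visible in the log; anything else the server's mschap configuration passes to `ntlm_auth` has to be added by hand.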